amazonka-sts 0.3.4 → 0.3.5
raw patch · 7 files changed
+70/−43 lines, 7 filesdep ~amazonka-corePVP ok
version bump matches the API change (PVP)
Dependency ranges changed: amazonka-core
API changes (from Hackage documentation)
Files
- amazonka-sts.cabal +2/−2
- gen/Network/AWS/STS/AssumeRoleWithSAML.hs +23/−15
- gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs +27/−18
- gen/Network/AWS/STS/DecodeAuthorizationMessage.hs +7/−4
- gen/Network/AWS/STS/GetFederationToken.hs +5/−3
- gen/Network/AWS/STS/GetSessionToken.hs +5/−0
- gen/Network/AWS/STS/Types.hs +1/−1
amazonka-sts.cabal view
@@ -1,5 +1,5 @@ name: amazonka-sts-version: 0.3.4+version: 0.3.5 synopsis: Amazon Security Token Service SDK. homepage: https://github.com/brendanhay/amazonka license: OtherLicense@@ -46,5 +46,5 @@ other-modules: build-depends:- amazonka-core == 0.3.4.*+ amazonka-core == 0.3.5.* , base >= 4.7 && < 5
gen/Network/AWS/STS/AssumeRoleWithSAML.hs view
@@ -31,20 +31,22 @@ -- access key ID, a secret access key, and a security token. Applications can -- use these temporary security credentials to sign calls to AWS services. The -- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the--- SAML authentication response's 'NotOnOrAfter' value, whichever is shorter.+-- SAML authentication response's 'SessionNotOnOrAfter' value, whichever is+-- shorter. ----- Optionally, you can pass an IAM access policy to this operation. If you--- choose not to pass a policy, the temporary security credentials that are--- returned by the operation have the permissions that are defined in the access--- policy of the role that is being assumed. If you pass a policy to this--- operation, the temporary security credentials that are returned by the--- operation have the permissions that are allowed by both the access policy of--- the role that is being assumed, /and/ the policy that you pass. This gives you--- a way to further restrict the permissions for the resulting temporary--- security credentials. You cannot use the passed policy to grant permissions--- that are in excess of those allowed by the access policy of the role that is--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>--- in /Using Temporary Security Credentials/.+-- The maximum duration for a session is 1 hour, and the minimum duration is 15+-- minutes, even if values outside this range are specified. Optionally, you+-- can pass an IAM access policy to this operation. If you choose not to pass a+-- policy, the temporary security credentials that are returned by the operation+-- have the permissions that are defined in the access policy of the role that+-- is being assumed. If you pass a policy to this operation, the temporary+-- security credentials that are returned by the operation have the permissions+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the+-- permissions for the resulting temporary security credentials. You cannot use+-- the passed policy to grant permissions that are in excess of those allowed by+-- the access policy of the role that is being assumed. For more information,+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/+-- . -- -- Before your application can call 'AssumeRoleWithSAML', you must configure your -- SAML identity provider (IdP) to issue the claims required by AWS.@@ -133,8 +135,11 @@ -- | The duration, in seconds, of the role session. The value can range from 900 -- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set -- to 3600 seconds. An expiration can also be specified in the SAML--- authentication response's 'NotOnOrAfter' value. The actual expiration time is--- whichever value is shorter.+-- authentication response's 'SessionNotOnOrAfter' value. The actual expiration+-- time is whichever value is shorter.+--+-- The maximum duration for a session is 1 hour, and the minimum duration is 15+-- minutes, even if values outside this range are specified. arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural) arwsamlDurationSeconds = lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })@@ -150,6 +155,9 @@ -- the access policy of the role that is being assumed. For more information, -- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/ -- .+--+-- The policy must be 2048 bytes or shorter, and its packed size must be less+-- than 450 bytes. arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text) arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })
gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs view
@@ -24,8 +24,16 @@ -- | Returns a set of temporary security credentials for users who have been -- authenticated in a mobile or web application with a web identity provider,--- such as Login with Amazon, Amazon Cognito, Facebook, or Google.+-- such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID+-- Connect-compatible identity provider. --+-- For mobile applications, we recommend that you use Amazon Cognito. You can+-- use Amazon Cognito with the <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to+-- uniquely identify a user and supply the user with a consistent identity+-- throughout the lifetime of an application.+--+-- To learn more about Amazon Cognito, see <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview> in the /AWSSDK for Android Developer Guide/ guide and <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview> in the /AWSSDK for iOS Developer Guide/.+-- -- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security -- credentials. Therefore, you can distribute an application (for example, on -- mobile devices) that requests temporary security credentials without@@ -58,18 +66,15 @@ -- identity provider that is associated with the identity token. In other words, -- the identity provider must be specified in the role's trust policy. ----- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity', see the following resources:+-- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity' API, see the following resources: ----- Creating a Mobile Application with Third-Party Sign-In and Creating--- Temporary Security Credentials for Mobile Apps Using Third-Party Identity--- Providers in /Using Temporary Security Credentials/. Web Identity Federation--- Playground. This interactive website lets you walk through the process of+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider Creating a Mobile Application with Third-Party Sign-In> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html CreatingTemporary Security Credentials for Mobile Apps Using Third-Party IdentityProviders> in /Using Temporary Security Credentials/. <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity FederationPlayground>. This interactive website lets you walk through the process of -- authenticating via Login with Amazon, Facebook, or Google, getting temporary -- security credentials, and then using those credentials to make a request to--- AWS. <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and AWS SDK for Android. These toolkits contain sample+-- AWS. <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These toolkits contain sample -- apps that show how to invoke the identity providers, and then how to use the -- information from these providers to get and use temporary security--- credentials. Web Identity Federation with Mobile Applications. This article+-- credentials. <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>. This article -- discusses web identity federation and shows an example of how to use web -- identity federation to get access to content in Amazon S3. --@@ -164,10 +169,14 @@ arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text) arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a }) --- | The fully-qualified host component of the domain name of the identity--- provider. Specify this value only for OAuth access tokens. Do not specify--- this value for OpenID Connect ID tokens, such as 'accounts.google.com'. Do not--- include URL schemes and port numbers. Currently, 'www.amazon.com' and 'graph.facebook.com' are supported.+-- | The fully qualified host component of the domain name of the identity+-- provider.+--+-- Specify this value only for OAuth 2.0 access tokens. Currently 'www.amazon.com'+-- and 'graph.facebook.com' are the only supported identity providers for OAuth+-- 2.0 access tokens. Do not include URL schemes and port numbers.+--+-- Do not specify this value for OpenID Connect ID tokens. arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text) arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a }) @@ -236,9 +245,9 @@ arwwirAssumedRoleUser = lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a }) --- | The intended audience of the web identity token. This is traditionally the--- client identifier issued to the application that requested the web identity--- token.+-- | The intended audience (also known as client ID) of the web identity token.+-- This is traditionally the client identifier issued to the application that+-- requested the web identity token. arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text) arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a }) @@ -258,7 +267,7 @@ -- | The issuing authority of the web identity token presented. For OpenID -- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0--- Access Tokens, this contains the value of the 'ProviderId' parameter that was+-- access tokens, this contains the value of the 'ProviderId' parameter that was -- passed in the 'AssumeRoleWithWebIdentity' request. arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text) arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })@@ -267,8 +276,8 @@ -- identifier is associated with the 'WebIdentityToken' that was submitted with -- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the -- user and the application that acquired the 'WebIdentityToken' (pairwise--- identifier). If an OpenID Connect ID token was submitted in the 'WebIdentityToken', this value is returned by the identity provider as the token's 'sub'--- (Subject) claim.+-- identifier). For OpenID Connect ID tokens, this field contains the value+-- returned by the identity provider as the token's 'sub' (Subject) claim. arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text) arwwirSubjectFromWebIdentityToken = lens _arwwirSubjectFromWebIdentityToken
gen/Network/AWS/STS/DecodeAuthorizationMessage.hs view
@@ -30,10 +30,13 @@ -- (an HTTP 403 response). Some AWS actions additionally return an encoded -- message that can provide details about this authorization failure. ----- The message is encoded because the details of the authorization status can--- constitute privileged information that the user who requested the action--- should not see. To decode an authorization status message, a user must be--- granted permissions via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.+-- Only certain AWS actions return an encoded authorization message. The+-- documentation for an individual action indicates whether that action returns+-- an encoded message in addition to returning an HTTP code. The message is+-- encoded because the details of the authorization status can constitute+-- privileged information that the user who requested the action should not see.+-- To decode an authorization status message, a user must be granted permissions+-- via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action. -- -- The decoded message includes the following type of information: --
gen/Network/AWS/STS/GetFederationToken.hs view
@@ -31,9 +31,11 @@ -- where those credentials can be safely stored, usually in a server-based -- application. ----- Note: Do not use this call in mobile applications or client-based web--- applications that directly get temporary security credentials. For those--- types of applications, use 'AssumeRoleWithWebIdentity'.+-- If you are creating a mobile-based or browser-based app that can+-- authenticate users using a web identity provider like Login with Amazon,+-- Facebook, Google, or an OpenID Connect-compatible identity provider, we+-- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito> or 'AssumeRoleWithWebIdentity'. For more+-- information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile AppsUsing Identity Providers> in /Using Temporary Security Credentials/. -- -- The 'GetFederationToken' action must be called by using the long-term AWS -- security credentials of an IAM user. You can also call 'GetFederationToken'
gen/Network/AWS/STS/GetSessionToken.hs view
@@ -38,6 +38,11 @@ -- created by using account credentials have a maximum duration of 3600 seconds -- (1 hour). --+-- We recommend that you do not call 'GetSessionToken' with root account+-- credentials. Instead, follow our <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices> by creating one or more IAM+-- users, giving them the necessary permissions, and using IAM users for+-- everyday interaction with AWS.+-- -- The permissions associated with the temporary security credentials returned -- by 'GetSessionToken' are based on the permissions associated with account or -- IAM user whose credentials are used to call the action. If 'GetSessionToken' is
gen/Network/AWS/STS/Types.hs view
@@ -93,7 +93,7 @@ -> RESTError -> Bool check (statusCode -> s) (awsErrorCode -> e)- | s == 400 && "Throttling" == e = True -- Throttling+ | s == 400 && (Just "Throttling") == e = True -- Throttling | s == 500 = True -- General Server Error | s == 509 = True -- Limit Exceeded | s == 503 = True -- Service Unavailable